CVE-2024-48123
Published: 15 January 2025
Description
An issue in the USB Autorun function of HI-SCAN 6040i Hitrax HX-03-19-I allows attackers to execute arbitrary code via uploading a crafted script from a USB device.
Security Summary
CVE-2024-48123 is a vulnerability in the USB Autorun function of the HI-SCAN 6040i Hitrax HX-03-19-I device. It enables attackers to execute arbitrary code by uploading a crafted script from a USB device. The issue has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-426 (Untrusted Search Path). It was published on 2025-01-15.
Exploitation requires local physical access to the device and low privileges; attack complexity is low and no user interaction is needed. A threat actor, such as an insider or someone with brief physical access, can insert a USB drive containing a malicious script that autoruns and executes arbitrary code. The confidentiality and integrity impacts are rated high and the scope is changed, potentially allowing data exfiltration, modification, or privilege escalation on the affected system.
Further details, including potential mitigations, are available in the referenced research document at https://kth.diva-portal.org/smash/get/diva2:1876534/FULLTEXT01.pdf.
Details
- CWE(s)